Heartbleed Isn't Dead: 300,000 Servers Are Still Exposed, But Here's How You Can Protect Yourself

Monday

Jun 23, 2014 at 9:57 AM

Dave Smith

The massive security vulnerability known as "Heartbleed" dominated headlines for most of April, but more than 300,000 servers are still susceptible to Heartbleed, according to Errata Security researcher Robert David Graham (via ZDNet).

Heartbleed is a bug in OpenSSL, the cryptographic library that a large share of web servers use to encrypt their connections with your browser. A missing length check in OpenSSL's implementation of the TLS "heartbeat" extension lets anyone who can open a connection to a vulnerable server read up to 64 KB of the server's memory per request, typically without leaving a trace in ordinary server logs. That memory can contain session cookies, usernames and passwords in transit, and even the server's private key, which is why banks, e-commerce sites, and any other service that handles your identifying information were at risk.

The Heartbleed bug sat unnoticed in OpenSSL for about two years, affecting versions 1.0.1 through 1.0.1f, until Neel Mehta of Google's security team found it and reported it to the OpenSSL project on April 1 (Codenomicon independently found it days later). The fixed release, OpenSSL 1.0.1g, was published alongside the public disclosure on April 7.

When Heartbleed was initially announced, Graham's scan found 615,268 vulnerable servers. A month later he found 318,239, meaning about half of the servers exposed to Heartbleed had been patched. But his most recent scan, announced Saturday, still found 309,197 vulnerable servers, a drop of barely 3 percent in a month, which is troubling:

"This indicates people have stopped even trying to patch," Graham said. "We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable. I'll scan again next month, then at the 6 month mark, and then yearly after that to track the progress."

Until more servers are patched, here's what you can do to keep yourself and your data protected while on the Web:

1. List all of the important websites you use and accounts you own. Think of all your online identities (social media accounts included), but definitely jot down any apps or websites you use for banking, medical data, email or messaging. Think of the things you don't want others to access; your bookmarks are a good guide.

2. Check which of those sites are still vulnerable to Heartbleed. CNET maintains a status list for a number of popular websites, and there are online Heartbleed checkers, like the ones created by LastPass or Filippo Valsorda, as well as browser extensions for Chrome (Chromebleed) and Firefox (Heartbleed-Ext). Keep in mind what these checkers can and cannot tell you: they send the server a malformed heartbeat request and report whether it leaks memory right now, so a "not vulnerable" result means the server has been patched, not that it was never attacked while it was exposed. A site that has patched but has not replaced its TLS certificate and private key could still be impersonated by anyone who extracted the old key. For sites that are still affected by Heartbleed, hold off changing your password until a patch arrives; a password entered on a vulnerable server can be read straight out of its memory, and you'd have to change it again once the fix is in. Until then, avoid using the service if possible.

3. For all sites that are no longer vulnerable to Heartbleed, change your passwords, especially if you haven't done so recently. Make each one long and random rather than a dictionary word with digits tacked on, and use a different password on every site, so that one password leaked from one server can't be replayed against your other accounts. Where a site offers two-step verification, turn it on. It's obviously not easy to keep so many different passwords in your head, which is why there are plenty of password management apps out there, including LastPass, 1Password, Dashlane, Lookout and PasswordBox.
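To make concrete both how the bug works (the missing length check described above) and what an online checker actually does in step 2, here is an added example that is not from the article, from OpenSSL, or from any of the checkers named; it is a self-contained simulation. It assumes the TLS handshake has already completed, models the server's heap as a bytearray into which the request is copied next to made-up data from other connections (a constructed cookie and key fragment), and clamps the over-read at the end of that arena where the real code would keep reading adjacent heap. The two handlers follow the structure of OpenSSL's tls1_process_heartbeat() before and after the 1.0.1g fix, but are not its code.

```python
"""Heartbleed, simulated end to end: the probe a checker sends, and how a
vulnerable versus a patched OpenSSL-style heartbeat handler answers it.
Constructed example; the 'heap' contents and 'secret' bytes are made up."""
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for the heartbeat extension (RFC 6520)
TLS_VERSION = 0x0302          # TLS 1.1 record version, as the 2014 checkers sent it
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16                  # minimum padding RFC 6520 requires after the payload


def tls_record(content_type, body):
    """TLS record: content type (1 byte), version (2), body length (2), body."""
    return struct.pack("!BHH", content_type, TLS_VERSION, len(body)) + body


def build_heartbeat_request(claimed_len, payload=b"hb"):
    """Heartbeat request whose 16-bit length field claims `claimed_len` bytes.

    An honest client sets claimed_len == len(payload). A checker or attacker
    claims 0x4000 (16 KB) while sending two bytes; the record header still
    carries the true, much smaller, body length.
    """
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING
    return tls_record(TLS_HEARTBEAT, body)


def vulnerable_handle(memory, rec_off, rec_len):
    """Models tls1_process_heartbeat() in OpenSSL 1.0.1 through 1.0.1f.

    `memory` is a bytearray standing in for the server process's heap; the
    received record body sits at memory[rec_off:rec_off + rec_len]. The
    handler trusts the length inside the message and copies that many bytes
    into its reply, so it reads past the record into whatever lies beyond it.
    """
    hbtype = memory[rec_off]
    payload_len = struct.unpack("!H", memory[rec_off + 1:rec_off + 3])[0]
    p = rec_off + 3
    if hbtype != HB_REQUEST:
        return None
    # The bug: payload_len is never compared with rec_len. Real OpenSSL would
    # memcpy() from neighbouring heap; the slice simply stops at the arena end.
    leaked = bytes(memory[p:p + payload_len])
    body = struct.pack("!BH", HB_RESPONSE, payload_len) + leaked + b"\x00" * PADDING
    return tls_record(TLS_HEARTBEAT, body)


def patched_handle(memory, rec_off, rec_len):
    """The same handler with the two bounds checks added in OpenSSL 1.0.1g."""
    if 1 + 2 + PADDING > rec_len:
        return None                     # too short to be a valid heartbeat: discard
    hbtype = memory[rec_off]
    payload_len = struct.unpack("!H", memory[rec_off + 1:rec_off + 3])[0]
    p = rec_off + 3
    if 1 + 2 + payload_len + PADDING > rec_len:
        return None                     # claimed length exceeds the record: discard (RFC 6520 s.4)
    if hbtype != HB_REQUEST:
        return None
    echoed = bytes(memory[p:p + payload_len])
    body = struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING
    return tls_record(TLS_HEARTBEAT, body)


def parse_heartbeat_response(record):
    """Return (claimed_len, payload) from a heartbeat response record, else None."""
    if record is None or len(record) < 8:
        return None
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != TLS_HEARTBEAT or len(body) < 3:
        return None
    hbtype, payload_len = struct.unpack("!BH", body[:3])
    if hbtype != HB_RESPONSE:
        return None
    return payload_len, body[3:3 + payload_len]


def classify(sent_payload, response):
    """Checker's verdict: a reply echoing more than we sent means the server leaked memory."""
    parsed = parse_heartbeat_response(response)
    if parsed is None:
        return "not vulnerable"         # patched servers drop the malformed request
    _claimed, payload = parsed
    return "vulnerable" if len(payload) > len(sent_payload) else "not vulnerable"


def simulate(handler, claimed_len=0x4000):
    """Run one probe against `handler`; returns (verdict, raw response record)."""
    probe = build_heartbeat_request(claimed_len)
    body = probe[5:]                    # what the record layer hands to the handler
    # Constructed heap: the request lands beside data from other connections.
    neighbours = (b"Cookie: session=9f1c3e7a2b; "
                  b"-----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEA...")
    memory = bytearray(b"\x00" * 32 + body + neighbours + b"\x00" * 64)
    response = handler(memory, 32, len(body))
    return classify(b"hb", response), response


if __name__ == "__main__":
    for name, handler in (("OpenSSL 1.0.1f", vulnerable_handle), ("OpenSSL 1.0.1g", patched_handle)):
        verdict, response = simulate(handler)
        print(f"{name}: {verdict}")
        if verdict == "vulnerable":
            print("  leaked:", parse_heartbeat_response(response)[1][2:].rstrip(b"\x00"))
```

Two things worth noticing when you run it. First, an honest heartbeat (claimed_len=2) gets the same two-byte echo from both handlers, which is why the checkers have to send a deliberately malformed request to tell the versions apart. Second, the patched server answers the malformed probe with nothing at all; real checkers treat a timeout or a TLS alert exactly like that None, and only a heartbeat response longer than what was sent counts as a positive.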
